Early in 2011, the Telecom Regulatory Authority of India (“TRAI”) had released the Telecom Commercial Communications Customer Preference Regulations, 2010 for registration and regulation of telemarketers, both existing and new. The main objective of this regulation was to ensure that consumers do not get promotional communication from commercial or other establishments unless they have specifically opted for receiving them. Once the registration process is commenced, advertisers and commercial establishments will only be able to utilize the services of a registered telemarketer, and this will also allow a close monitoring so that the use of telemarketing is done only to reach customers who have opted to be solicited by such calls. The registration process calls for the telemarketer (which can be a firm, company or individual) to provide a few details such as PAN number etc. and contact address, the purpose of which presumable is to ensure compliance with the regulations. This is a novel method for regulating solicitation calls going to individual consumers to provide services and is now recognized as a media to reach the consumers, apart from print and television.
Tightening noose on unsolicited calls
During 2011, TRAI also introduced a draft regulation to regulate unsolicited commercial communications and has prescribed a limit of 100 SMS per day per SIM for all the customers. Before this, the telecom service providers offered 2000 SMS per day packages. The regulations provide that no access provider shall provide any tariff plan or SMS package in any form to any person other than a registered telemarketer permitting sending of more than 100 SMS per day per SIM except on ‘blackout days’ and additional days as may be specified by TRAI. The transactional messages do not fall within the purview of transactional messages such as from a bank to its customers or from Airlines to its passengers and likewise from the schools to the students/parents. There is a time restriction of 9 pm to 9 am for sending SMS which again do not apply to transactional messages. There are certain exclusions from the limit of 100 SMS per day per SIM for the dealers of the telecom service providers and DTH Operators for sending request for electronic recharge on mobile numbers, e-ticketing agencies for responding to e-ticketing request made by its customers, the social networking sites to its members pertaining to activities relating to their accounts based on their verifiable options and agencies providing directory services. TRAI is monitoring and enforcing the regulations for protection of customers from unsolicited commercial calls and SMSs. In this regard Vodafone penalized the first batch of telemarketers by deducting penalty amount from their security deposits on October 12, 2011 and has deposited INR 50,000 with TRAI in compliance to the regulations.
Self-regulation ‘Council’ for media
The MIB has proposed to set up a two-tier system for redressal for the consumers while also recommending establishment of a 13-member Broadcast Content Complaints Council (“BCCC”). Where complaints or opinions are not addressed by channels, they now have a recourse to the BCCC. It was also suggested that consumers should be able to reach the BCCC directly and this proposal was being discussed with political parties before a formal regulation is proposed. Since the Indian Broadcasting Foundation’s redressal committee will ascertain self-regulation of all non-news channels, many channels now display a message requiring any person aggrieved by the contents to file a complaint. For broadcasters, this means that the industry pro-actively makes sure its contents are honest, decent, truthful and legal. This will allow the industry to build up a strong trust relationship with the consumer.
Draft rules for “reasonable security measures” under section 43A of the IT Act
The Department of Information Technology (“DIT”) has released rules under section 43A of the Information Technology Act, 2000 (“IT Act”) under which the obligation to take reasonable security measures has been prescribed on persons and companies, dealing with sensitive personal information. The rules are titled Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011, under which the DIT has included the International Standard IS/ISO/IEC 27001 for information security management requirements as the guiding standard for security techniques to be applied for data security. The rules also provide the much needed definition of “sensitive personal information” and has been drafted in-line with the UID project that is underway. From the rules it appears that the DIT has considered internationally accepted standards for data protection, however it is not clear as to why no protocols have been provided for data or information since the rules provide only for sensitive personal information.
Amendment to IT Act
The IT Act requires (under section 43A) a body corporate to implement and maintain reasonable security practices and procedures for protecting sensitive personal data or information of any person in a computer resource which it owns, controls or operates. A body corporate is defined in clause (i) of explanation to section 43A of the Act as “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.” If a body corporate is negligent in this regard which causes wrongful loss or wrongful gain to any person, then it is liable to pay damages by way of compensation to the affected person. The amendment, however, did not provide the definition of “sensitive personal data or information” and the scope and guidelines for “reasonable security practices and procedures.” On April 13, 2011, the Ministry of Communication and Information Technology notified these aspects in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”) along with the Information Technology (Intermediaries Guidelines) Rules, 2011 (“Intermediaries Guidelines”) and the Information Technology (Guidelines for Cyber Café) Rules, 2011. The Rules could have a profound effect on the outsourcing business units operating in India and all body corporates that collect and use personal data of persons, both within and outside India.
TRAI contemplating Cloud Computing regulation framework
In the latter half of 2011, TRAI called for papers on the proposed regulatory framework for cloud computing in India. TRAI, in announcing the call for papers, showed its awareness of the growing phenomenon and the practical issues surrounding the same. TRAI has enumerated and highlighted several key areas of focus while calling for suggestions such as regulatory framework for cloud computing, ensuring high availability levels, data erasing in the cloud, data privacy at service provider end, data security, data export restrictions, monitoring data handling regulations required for regulated Industries (financial services healthcare), multiple jurisdictions/areas when data is stored at different data centers, enhanced security cloud computing services, ensuring quality of the cloud service, exit strategies and switching suppliers, cloud television/cloud computing on TV – levels of QoS, inter-operable between cloud service providers (common protocols), etc.
New Telecom Policy 2011
The Policy aims to make the country’s telecommunications sector more transparent, relax merger and acquisition norms to encourage consolidation and also give more teeth to TRAI. The Policy suggests the creation of technology neutral unified licenses (under the One Nation-One License) policy, that is envisaged in two separate categories – (i) the Network Service Operator/Communication Network Service Operator, which is licensed to maintain converged networks for delivering “various types of services e.g. Voice, Data, Video, broadcast, IPTV, VAS etc.”, very importantly, in a non-exclusive and non-discriminatory manner; and (ii) a Service Delivery Operator/Communication Service Delivery Operator. The Service Delivery Operator would be licensed to deliver any/all services e.g. tele-services (voice, data, video), internet/broadband, broadcast services, IPTV, value added service and content delivery services etc. The Policy will de-link licences from spectrum and the tenure of mobile permits would be halved to 10 years when they come up for renewal. The draft plan also proposes to do away with roaming charges, introduce a stronger customer grievance redressal mechanism, recognize telecoms as an infrastructure sector giving it tax concessions, and extend preferential status to “Made in India” hardware products. The Policy clearly talks about a clear separation of content and its carriage, a separation of content and services from their carriage. The thrust of this Policy is to underscore the imperative that sustained adoption of technology would offer viable options in overcoming developmental challenges in education, health, employment generation, financial inclusion and much else.
New generic domains
Internet Corporation for Assigned Names and Numbers (“ICANN”) has approved plans to launch a potentially unlimited number of new generic top-level domains (“gTLDs”) which will expand the number of generic domains from the current set of 22 domains (including .com, .org, and .net) to as many as 1,000. Pursuant to this new beginning, companies and other organizations will be able to create their own domains with their brand names like .apple or .nokia and will have broad implications for them. Interestingly, industry designations will also become a possibility like .pharma, .technology. Finally, domain for terms like .red, .tender, or .fiction is also possible. The new gTLDs will change the way people find information on the internet and how businesses plan and structure their online presence, quoted ICANN in its press release on its website. An applicant guidebook has also been released on May 30 this year which is still being discussed by stakeholders and may undergo revision. Applications for new domains will be accepted from January 12, 2012 until April 12, 2012 and the first gTLD is expected to be launched in 2013. These domains can be in any character like devanagiri, Kanji or Russian, for instance. Technically, any word can be used in domain names. It has the potential to change the complete face of internet.
PSA view – This year has seen quite a few changes in the telecom and information technology regulatory regime. On the one hand, there has been a restriction on telemarketers and unsolicited calls, there has been introduction of self-regulation in the media sector. There have also been a few guidelines that have been announced for regulation of areas which were previously unregulated in light of the development of technology, namely cloud computing, which seek to create a stable and secure environment for data intensive activities in India. This is supported by the announcement of the intermediary guidelines in 2011 which casts an additional obligation on service providers to ensure compliance with the law of the land. The telecom sector had faced a huge scar in light of the exposed 2G scam, but also swift remedial action in the form of the recently announced Telecom Policy 2011 which focuses on transparency and give more authority to the regulator.
In short, 2011 has been a year of changes which seek to improve the existing legislative and regulatory framework for making India an attractive destination for investment as well as consumer friendly jurisdiction. We hope the regulators continue this upward path in 2012 as well.